1. Field of the Invention
The present invention relates to a method and a system for identifying and notifying unauthorized access to data network services.
2. Description of the Prior Art
A data communications network is increasingly becoming an essential component of every organization. This component is often critical enough to require constant monitoring to ensure proper performance and authorized accesses. Various data network management tools exist for this purpose. The management tools interrogate data network devices to gather information about the device and its environment. At present, the most pervasive tool is the Simple Network Management Protocol (SNMP)—a standard implemented in network nodes to publish information for the purposes of data network management.
The model assumed by SNMP is a central management station and a number of data collection points, known to the skilled artisan as software agents, or simply as agents. The agents are instructed by the management station as to what information to collect. The management station then collects this information from the agents through SNMP. The data and functions that an agent supports are specified in a well known data structure called a Management Information Base (MIB). The MIB specifies which variables the agent exposes, namely the information that can be queried and set by the management station.
This queried information often includes information that is sensitive to the organization and should be directed only through a Network Management Console (NMC)—a device which manages the data network. Given the increasing security consciousness of organizations these days, there is sometimes reluctance on the part of the Network Operations Console (NOC), i.e., the network administrators, to enable the SNMP service on the data network.
Although there is an authentication system built into the SNMP protocol to prevent unauthorized accesses, it is rendered useless if the authentication passwords have been compromised. If the SNMP service has been enabled at various nodes in the data network for the sole purpose of communicating with an NMC for data network management, the NOC may want to be aware of “out-of-the-ordinary” accesses of service nodes in the data network. Such “out-of-the-ordinary” accesses might be indicative of possible security breaches by any unauthorized users within the data network. This assumes added significance in the light of the CERT® (Computer Emergency Response Team) Advisory on SNMP, issued Feb. 12, 2002 by the CERT® Coordination Center, which has caused increased scrutiny in the use of SNMP within a data network.
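The "out-of-the-ordinary" access the NOC wants to be aware of is, at its simplest, any SNMP request to a service node that did not come from an authorized NMC. The following is an added example illustrating that check; it is not part of the patent text and not the claimed system. It assumes a hypothetical agent-side access log in the form `<time> agent=<ip> src=<ip> op=<GET|SET> oid=<oid>` (the sample lines are constructed) and an assumed list of authorized NMC addresses; malformed or non-IP records are skipped rather than trusted.

```python
"""Flag SNMP accesses to service nodes that did not originate from an authorized NMC.

Added example, not from the patent. The log format below is hypothetical and the
sample records are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records: two management-station polls, one probe from a
# workstation that is not an NMC (including a SET), and one malformed record.
SAMPLE_LOG = """\
2002-03-01T10:00:01 agent=10.1.1.5 src=10.1.0.2 op=GET oid=1.3.6.1.2.1.1.5.0
2002-03-01T10:00:07 agent=10.1.1.5 src=10.1.0.2 op=GET oid=1.3.6.1.2.1.2.2.1.10.1
2002-03-01T10:02:13 agent=10.1.1.5 src=10.1.7.44 op=GET oid=1.3.6.1.2.1.1.1.0
2002-03-01T10:02:14 agent=10.1.1.9 src=10.1.7.44 op=SET oid=1.3.6.1.2.1.1.4.0
2002-03-01T10:03:00 agent=10.1.1.9 src=10.1.0.3 op=GET oid=1.3.6.1.2.1.1.3.0
2002-03-01T10:03:30 agent=10.1.1.9 src=not-an-ip op=GET oid=1.3.6.1.2.1.1.3.0
"""

# Assumed set of authorized NMC addresses (hypothetical values).
AUTHORIZED_NMC = frozenset({"10.1.0.2", "10.1.0.3"})

LINE_RE = re.compile(
    r"^(?P<ts>\S+) agent=(?P<agent>\S+) src=(?P<src>\S+) op=(?P<op>GET|SET) oid=(?P<oid>[\d.]+)$"
)


@dataclass(frozen=True)
class Access:
    ts: str
    agent: str
    src: str
    op: str
    oid: str


def parse_log(text: str) -> list[Access]:
    """Parse access records; lines that do not match the format or carry
    non-IP addresses are dropped so they cannot poison the result."""
    accesses: list[Access] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            agent = str(ipaddress.ip_address(m["agent"]))
            src = str(ipaddress.ip_address(m["src"]))
        except ValueError:
            continue
        accesses.append(Access(m["ts"], agent, src, m["op"], m["oid"]))
    return accesses


def find_unauthorized(accesses: list[Access], authorized: frozenset[str] = AUTHORIZED_NMC) -> list[Access]:
    """An access is out-of-the-ordinary when its source is not an authorized NMC,
    regardless of whether the SNMP community string was accepted by the agent."""
    return [a for a in accesses if a.src not in authorized]


def build_alerts(unauthorized: list[Access]) -> list[str]:
    """Group flagged accesses per source node into one notification each."""
    by_src: dict[str, list[Access]] = defaultdict(list)
    for a in unauthorized:
        by_src[a.src].append(a)
    alerts = []
    for src, hits in sorted(by_src.items()):
        agents = sorted({h.agent for h in hits})
        ops = sorted({h.op for h in hits})
        alerts.append(
            f"NOTIFY: {src} made {len(hits)} SNMP request(s) to agent(s) {agents} "
            f"with ops {ops}; source is not an authorized NMC"
        )
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(find_unauthorized(parse_log(SAMPLE_LOG))):
        print(alert)
```

The comparison is against the source of the request, not the credential presented, which is the point of the passage above: once the community string is known outside the NOC, authentication alone no longer distinguishes the NMC from any other node, but the origin of the request still does.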
One solution to prevent unauthorized accesses is the use of a firewall. Essentially, a conventional firewall is a data network node having the capability of blocking off access from a node, or a plurality of nodes, within the data network to a service, or a plurality of services, provided by another node, or a plurality of nodes, within the data network. The main purpose of a firewall is to protect a networked entity, e.g., a corporation's intranet, from unauthorized accesses while permitting authorized accesses. In essence, the firewall separates an interconnected data network into a “trusted network” and an “untrusted network”. Specifically, the firewall is concerned with the data interaction between the two data networks.
Although it is theoretically possible to construct a data network such that there is a firewall between every trusted group of computers, it is not the general practice. Rather, a single firewall typically exists within any given intranet. Even in situations where such a data network exists, there may still be accesses within a “trusted” network that are unauthorized and require attention. For example, within a Human Resources (HR) department, there could be a new recruit or a co-op student who has network reachability to all the machines within the department. However, the person is only authorized to access certain machines from their node in the data network. A firewall would not detect such accesses. While a firewall could be suitably placed to achieve the same result, such an implementation would be costly as further hardware is required. Furthermore, an implementation where a separate firewall is utilized every 3 to 4 network devices throughout the corporate data network, or intranet, is not practical for most organizations.
In the prior art, the published international patent application, WO 98/27502, by Anderson of Intel Corporation, discloses a method and an apparatus for remote network access logging and reporting that intercepts an access request made by a client system in a network. According to the Intel publication, the intercepted access request is identified and sent to a centralized log server in the network. In response, the centralized log server sends an access list to the client system, which compares the access request to the access list. If the access request does not conflict with the access list, then the client system is granted access to a host system. However, this prior art system requires the provision of a centralized log server and the installation of a logging dynamic link library (DLL) at each client system in the network. The logging DLL is a specialized logging mechanism which requires specific intelligence to intercept logging requests and which invariably delays access requests made by client systems to host systems. The installation of the logging DLL at each client system and the requirement for a centralized logging server as part of the network add a level of complexity and cost in deploying such a system. Moreover, given that the intelligence of the logging DLL is specialized, its functionality is not pre-existing at the client system. Thus, to support the Intel system, the logging DLL must be installed at each client system. There is a need therefore in the art to provide a network management tool that takes advantage of pre-existing network capabilities and intelligence at each node in a network to identify unauthorized accesses. The installation of a centralized logging server and a logging DLL at each client system in the network, as taught by the Intel publication, does not fulfill this need.
In view of the above-noted shortcomings, the present invention seeks to provide a system and a method for identifying unauthorized accesses to a data network service by a user node in the data network. The present invention further seeks to provide a system and a method embodied in an NMC or a similar data network management system.